Sniffing Out Packet Sniffers

In a large enough enterprise, malevolent hackers may use on-site packet sniffing to learn the ins and outs of your network. How can you detect this problem, and what can you do about it? Brien M. Posey offers the techniques necessary to track down unwarranted sniffing.

One of the oldest methods of stealing information off a network is packet sniffing. In case you aren't familiar with the term, packet sniffing refers to the technique of copying each packet as it flows across the network. While this is a boon for network managers doing traffic analysis, it gives malevolent hackers access to the same data. Today, protocols such as IPSec are designed to defeat packet sniffing by encrypting packets. However, many networks have not yet deployed this encryption technology, or are only encrypting a portion of their data. Because of this, packet sniffing is still a viable method for stealing information.

Packet sniffing works because of the way Ethernet networks deliver their packets. Any time that a PC sends out a packet, it is sent out as a broadcast. This means that every PC on the network sees the packet. However, every PC except the intended destination is supposed to ignore it.

As mentioned, packet sniffing works by making a copy of each packet as it flows across the network. In the past, it has been difficult to tell if anyone on your network is engaging in packet sniffing. After all, no one is hacking into a server or anything, so the audit logs wouldn't indicate any sort of unusual activity. A person who's packet sniffing is merely reading information as it comes to them.

Fortunately, there are some tell-tale signs that may signal unauthorized interception. If the suspected hacker has limited resources, they may try to use the Network Monitor utility for packet sniffing. (A limited version of Network Monitor comes with Windows NT and Windows 2000, and a full-featured version comes with SMS Server.) Network Monitor is a good choice for the small-time hacker because it's easy to come by and relatively easy to use compared to some of the other packet sniffers that are available. Happily, it's really easy to tell if someone is using the Network Monitor utility. To do so, simply select the Identify Network Monitor Users command from Network Monitor's Tools menu.

What if the hacker is using one of the dozens of other available sniffing utilities? While there's no foolproof way to spot someone who's packet sniffing, there are some good indicators. Perhaps the best is your DNS database. Any time that a system needs to resolve a host's IP address, it sends a query based on the host name to a DNS server. The DNS server then looks up the host name in its database and returns the host's IP address. If a hacker were running a packet sniffing program that displays host names (most of them do), the machine doing the packet sniffing would generate an extremely large volume of DNS queries.
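The DNS indicator described above can be turned into a simple check against the DNS server's query log. The following script is an added example, not code from the original article: it assumes a constructed one-line-per-query log format (client IP, queried name, record type) rather than any particular DNS server's real format, and it assumes that a sniffer displaying host names does so by reverse-resolving the IP addresses it sees, which shows up as a burst of PTR lookups under in-addr.arpa from a single client. The sample log lines are constructed for the example.

```python
"""Flag hosts that issue an abnormally high volume of reverse DNS lookups.

Added example (not from the original article). Assumes a constructed log
format, one query per line:

    10.0.0.5 query: 100.0.0.10.in-addr.arpa IN PTR

A host that reverse-resolves every address it sees on the wire stands out
because its PTR lookups both are numerous and dominate its query mix.
"""
import re
from collections import Counter

# Pattern for the constructed log format above (an assumption, not a real
# server's log syntax). Captures client IP, queried name and record type.
LINE_RE = re.compile(
    r"^(?P<client>\d{1,3}(?:\.\d{1,3}){3}) query: (?P<name>\S+) IN (?P<qtype>[A-Z]+)$"
)


def parse_query_log(lines):
    """Yield (client, name, qtype) for each well-formed line; skip the rest."""
    for line in lines:
        match = LINE_RE.match(line.strip())
        if match:
            yield match.group("client"), match.group("name"), match.group("qtype")


def summarize(lines):
    """Return two Counters keyed by client IP: all queries, and PTR lookups
    under in-addr.arpa (the reverse lookups a name-resolving sniffer emits)."""
    total = Counter()
    ptr = Counter()
    for client, name, qtype in parse_query_log(lines):
        total[client] += 1
        if qtype == "PTR" and name.endswith(".in-addr.arpa"):
            ptr[client] += 1
    return total, ptr


def flag_suspects(lines, ptr_threshold=20, ptr_ratio=0.5):
    """Clients whose reverse-lookup count reaches ptr_threshold and makes up
    at least ptr_ratio of everything they asked the server. Both thresholds
    are tunable assumptions; size them from your own baseline."""
    total, ptr = summarize(lines)
    suspects = [
        client
        for client, n_ptr in ptr.items()
        if n_ptr >= ptr_threshold and n_ptr / total[client] >= ptr_ratio
    ]
    return sorted(suspects)


def build_sample_log():
    """Constructed sample: 10.0.0.5 reverse-resolves thirty peers in a row,
    while 10.0.0.9 behaves like an ordinary workstation."""
    lines = []
    for last_octet in range(100, 130):  # 10.0.0.100 .. 10.0.0.129, reversed for PTR
        lines.append(f"10.0.0.5 query: {last_octet}.0.0.10.in-addr.arpa IN PTR")
    lines += ["10.0.0.5 query: mail.example.test IN A"] * 3
    lines += ["10.0.0.9 query: www.example.test IN A"] * 12
    lines += ["10.0.0.9 query: 1.0.0.10.in-addr.arpa IN PTR"] * 2
    lines.append("a malformed line that the parser must skip")
    return lines


if __name__ == "__main__":
    sample = build_sample_log()
    totals, ptrs = summarize(sample)
    for client in sorted(totals):
        print(f"{client}: {totals[client]} queries, {ptrs[client]} reverse lookups")
    print("suspects:", flag_suspects(sample))
```

The check deliberately combines an absolute count with a ratio: a mail server or log analyzer may legitimately issue many PTR lookups, but it also issues plenty of forward queries, while a workstation that suddenly asks for nothing but reverse names is worth a closer look.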